
Bug Bounty Hunting for Web Security: Find and Exploit Vulnerabilities in Web sites and Applications
Ebook, 255 pages, 2 hours


About this ebook

Start with the basics of bug hunting and learn how to implement an offensive approach by finding vulnerabilities in web applications. After an introduction to Kali Linux, you will take a close look at the types of tools available to you and then set up your virtual lab. You will then discover how request forgery injection works on web pages and applications in a mission-critical setup. Moving on to the most challenging task for any web application, you will take a look at how cross-site scripting works and find out about effective ways to exploit it.


You will then learn about header injection and URL redirection along with key tips for finding vulnerabilities in them. Keeping in mind how attackers can deface your website, you will work with malicious files and automate your approach to defending against these attacks. Moving on to Sender Policy Framework (SPF), you will see tips for finding vulnerabilities in it and exploiting them. Following this, you will get to know how unintended XML injection and command injection work, so that you can keep attackers at bay. Finally, you will examine different attack vectors used to exploit HTML and SQL injection. Overall, Bug Bounty Hunting for Web Security will help you become a better penetration tester and at the same time teach you how to earn bounties by hunting bugs in web applications.


What You Will Learn

  • Implement an offensive approach to bug hunting
  • Create and manage request forgery on web pages
  • Poison Sender Policy Framework and exploit it
  • Defend against cross-site scripting (XSS) attacks 
  • Inject headers and test URL redirection
  • Work with malicious files and command injection
  • Resist unintended XML attacks

Who This Book Is For
White-hat hacking enthusiasts who are new to bug hunting and are interested in understanding the core concepts.
Language: English
Publisher: Apress
Release date: Nov 12, 2019
ISBN: 9781484253915



    Book preview

    Bug Bounty Hunting for Web Security - Sanjib Sinha

    © Sanjib Sinha 2019

    S. Sinha, Bug Bounty Hunting for Web Security, https://doi.org/10.1007/978-1-4842-5391-5_1

    1. Introduction to Hunting Bugs

    Sanjib Sinha, Howrah, West Bengal, India

    Why do we learn to hunt bugs? It is difficult to answer this question in one sentence. There are several reasons, and reasons vary from person to person.

    The first and foremost reason is we want to be better security professionals or researchers.

    When a security professional is able to hunt security bugs in a web application, it gains them recognition; and because they help the whole community remain safe and secure, it earns them respect as well. At the same time, a successful bug hunter usually gets a bounty for their effort. Almost every big web application, including Google, Facebook, and Twitter, has its own bug hunting and bounty program. So learning to hunt bugs may also help you earn some extra money. Many security experts and researchers make this their profession and earn regular money by hunting bugs.

    Reading this book will give you insight into implementing an offensive approach to hunting bugs in web applications. However, that knowledge should never be used for malpractice. You are learning these attacking techniques to defend web applications as a penetration tester (pen tester) or an ethical hacker. As a security professional, you are supposed to point out those bugs to your client so that they can rectify the vulnerabilities and thwart any malicious attack against their application.

    Therefore before moving any further, we should keep this important caveat in mind: without having permission from the owners, you may not and should not attack a web application. With permissions, yes, you may move forward to hunt bugs and make a detailed report of what can be done to defend against them.

    There are also several good platforms (we will talk about them in a minute) that allow you to work for them, and as a beginner you would do well to register with those platforms and hunt bugs for them. The greatest advantage is that you get immense help from senior security professionals. You learn while you earn, and you do it safely: you are hunting bugs and finding exploits and vulnerabilities with the owner’s permission.

    As a beginner, you should not try these techniques on any live web application on your own. In many countries, attacking the system without the owner’s permission is against the law. It may land you in jail and end your career as a security professional.

    Therefore, it is better to be registered with the bug bounty platforms and play the game according to the rules. We urge you to use the information contained in this book for lawful purposes; if you use it for unlawful purposes and end up in trouble, the author and the publisher will not be responsible.

    In my opinion, if you are only interested in the bounty, you will not learn anything and, finally, you will not be eligible to earn money and respect. Finding exploits and vulnerabilities demands a very steep learning curve. You need to know many things, including web application architecture, how the Web evolves, what the core defense mechanisms are, the key technology behind the Web (e.g., the HTTP protocol, encoding schemes), etc. You must be aware of how to map the web application and of the different types of attacks that can take place. In this book, we will learn these and more together.

    Now we can try to summarize the bug bounty program in one sentence.

    Many web application and software developers offer a bounty for hunting bugs; hunting bugs also earns you recognition and respect, depending on how well you are able to find exploits and vulnerabilities.

    If you prefer a shorter definition than the previous one, here it is:

    An ethical hacker who is paid to find vulnerabilities in software and web sites is called a bug bounty hunter.

    Bug Bounty Platforms

    As I have said, as a beginner one should try the bug bounty platforms first and stick around for a long time to learn the tricks and techniques. In reality, not only beginners but many experienced security professionals are attached to such platforms and regularly hack for them.

    There are many advantages. First, we should keep lawfulness in mind. Through these platforms, you know what you may do and what you may not do, which is very important. Another essential aspect is that you can constantly keep in touch with the security community, getting feedback and learning new things.

    Here is an incomplete list of bug bounty platforms. Many good platforms will definitely come out in the future.

    • Hackerone: www.hackerone.com/
    • Bugcrowd: www.bugcrowd.com/
    • BountyFactory: https://bountyfactory.io
    • Synack: www.synack.com/
    • Hackenproof: https://hackenproof.com/
    • Zerocopter: https://zerocopter.com/
    • Japan bug bounty program: https://bugbounty.jp/
    • Cobalt: https://cobalt.io/
    • Bug bounty programs list: www.bugcrowd.com/bug-bounty-list/
    • AntiHack: www.antihack.me/

    However, before registering with any of the bug bounty platforms mentioned above, you should understand a few things first. You need to know how to use a virtual machine and the hacker’s operating system, Kali Linux. You must learn to operate tools like Burp Suite, OWASP ZAP, WebGoat, and a few others. You need to sharpen your skills in your virtual lab. There are a few web applications that you are allowed to hack, or that are made intentionally vulnerable, so that beginners may try out their newly acquired hacking skills.

    We will discuss them in the coming sections.

    Introducing Burp Suite, OWASP ZAP, and WebGoat

    To start with tools like Burp Suite, OWASP ZAP, and WebGoat, you need to install Kali Linux in your VirtualBox. We do that for one reason: Kali Linux comes with all these tools by default, so you don’t have to install them separately. I strongly recommend using the virtual machine and Kali Linux; do not use these hacking tools on your own system, be it Windows, Linux, or Mac. They can either break your system or fail to work properly.

    We will talk about the Kali Linux installation process in great detail in the next chapter. After that, we will learn to operate three essential tools: Burp Suite, OWASP ZAP, and WebGoat. As we progress, we will see that more tools are needed. We will learn those tools too, as the situation demands.

    © Sanjib Sinha 2019

    S. Sinha, Bug Bounty Hunting for Web Security, https://doi.org/10.1007/978-1-4842-5391-5_2

    2. Setting Up Your Environment

    Sanjib Sinha, Howrah, West Bengal, India

    A virtual environment, or virtualization, is not mandatory for the experienced ethical hacker. As an experienced ethical hacker, you can run Kali Linux as your main system and perform the hacking mainly from a terminal with the help of a programming language such as Python, or you can use selected tools like Metasploit. However, for beginners, virtualization is compulsory.

    Let me explain very briefly why it is important. Hacking can change a system completely. If you don’t understand the state of the system well, you might change the state of your main system inadvertently. As a beginner, you cannot take that risk; therefore, always practice using a virtual machine. The easiest of them is VirtualBox, so I have chosen it to show you all types of bug hunting.

    As an aspiring ethical hacker and penetration tester, you should become capable of building virtual and physical labs to use for practice, as this lets you install as many operating systems as necessary. Using virtual machines, you can safely break any system and change its state inside VirtualBox without affecting the main system.

    Why We Need a Virtual Environment

    Virtualization is important for any type of penetration testing. You are going to learn how to find security vulnerabilities in any web application, and that needs a lot of practice before you actually approach a client to do the same on their live system. So we need a simulated environment first, a network security lab where we can practice, to learn and understand every trick of hunting bugs so that we can implement them on the live applications later as security professionals.

    There are other important considerations too. Since virtualization provides you with a simulated environment, your main system is not touched. If you break your operating system by mistake while experimenting with any hacking-related tools, it happens inside your virtual system, and you can simply reinstall the damaged operating system. Another important aspect is that we have to stay within the law, always. We must practice our hacking-related tools in a legal way on our own systems.

    You can also safely browse any web site in a virtual environment. If some malicious code enters your simulated environment, let it stay; it won’t touch your main system. I simply encourage you to do every type of testing. It is a virtual machine. So, go ahead; test everything that comes to mind.

    During my long information security research career, I have tested many hypervisors. However, keeping in mind that you may want to run your virtualization on any operating system in a simple way without facing problems, I strongly recommend VirtualBox. Whatever your operating system, VirtualBox is the best security lab solution for beginners. We will discuss the advantages in a minute.

    Just to let you know, there are several other hypervisors. Security professionals use some of them; however, most of them target specific operating systems. KVM is good for Linux. For Windows, VMware Player is a good solution; Windows Virtual PC is also good, but you cannot run Linux distributions inside it. For macOS, VMware and Virtual PC are good options, as are QEMU and Parallels. VirtualBox can run on any operating system.

    Installing VirtualBox is very simple. Whatever your operating system, all it requires is a few clicks or typing a few commands. If you are using Windows, go to the Oracle VirtualBox page and download the latest version available. The installer will simply guide you through the virtualization setup.

    Note

    For VirtualBox, you need to have an ISO image to install any operating system.

    I’ll go through the Ubuntu Linux install in detail
